Scanning Parameter-Based Navigation Websites for Vulnerabilities

Parameter-based navigation websites use the same URL and the same parameter name, and vary only the parameter value, to serve different content or to trigger different server-side actions. Below are two examples of the URLs used in parameter-based navigation websites. The first example is of a PHP website and the second one is of an ASP.NET website.

Parameter-Based Navigation PHP Website

http://example.com/index.php?page=home

http://example.com/index.php?page=support

http://example.com/index.php?page=contact

http://example.com/index.php?page=pricing

In the above example, a different parameter value is used in the URL to display different content. For example, when the value of the parameter page is home, the home page is loaded; when the value of the same parameter page is support, the support page is loaded. In such a case each parameter value triggers a different code branch on the server, and it is that branch which returns the different content.

Parameter-Based Navigation ASP.NET Website

ASP.NET Web Forms have a mechanism called postback, which is used to route server-side events. The request is sent to the same URL every time, and the value of the "__EVENTTARGET" parameter in the POST body selects which code branch is executed. Two examples follow.

A postback whose __EVENTTARGET value is LinkButton1 executes LinkButton1's click event handler on the server side.

A postback to the same URL whose __EVENTTARGET value is LinkButton2 executes LinkButton2's click event handler on the server side instead.

The Challenge of Scanning Parameter-Based Navigation Websites

These options are used to optimize the crawling of similar pages. However, if the target website uses parameter-based navigation, these settings will prevent Netsparker from crawling and scanning the entire website properly.

You can increase the values of the above mentioned options, but doing so prolongs the scan. Such a workaround also has a further limitation: the Netsparker scanners attack only the first instance of the page and ignore the rest, as the example below shows.

http://example.com/index.php?page=product&id=1

Netsparker crawls the above page and attacks its parameters page and id.

http://example.com/index.php?page=pricing&id=2

Netsparker ignores this version of the page, because it has the same URL and the same parameter names, page and id, which it has already crawled and scanned. The crawler deduplicates on parameter names and discards the values, yet in parameter-based navigation it is precisely the value that selects the code branch, and every branch needs to be scanned.

To address this limitation and successfully crawl and scan parameter-based navigation websites, we introduced two new options in the Netsparker scanners. These settings and their configuration are described below.

To enable this feature, check the Enable Parameter-Based Navigation checkbox, then configure the following settings:

Navigational Parameter RegEx: a regular expression that is matched against parameter names. A parameter whose name matches it is treated as a navigation parameter, so each distinct value of that parameter is crawled and scanned as a separate page instead of being collapsed into the first instance. The parameter can be either a GET or a POST parameter. The default RegEx both Netsparker scanners are configured with is:

^(page|redirect|goto|ctrl|content|__EVENTTARGET)$

Because the expression is anchored with ^ and $, it matches only these exact names. If your application uses a differently named parameter for navigation (for example pageid, action or view), add it to the alternation; otherwise that parameter's values are still collapsed.

Maximum Page Visits: the maximum number of times the scanner visits a page whose navigational parameter takes different values. Set it higher than the number of distinct values the navigational parameter can take, otherwise the values beyond the limit, and the code branches behind them, are never crawled or scanned. Each visit is a separately scanned page, so the scan duration grows with the number of distinct values. The default value is 999.
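The deduplication behaviour described above (only the first instance of a page is scanned when the key is built from parameter names, and how the Navigational Parameter RegEx and Maximum Page Visits change that key and cap the number of variants) can be modelled in a few lines. The following is an added Python example written for this article, not Netsparker's own code: the Crawler class, the Default.aspx URL and the sample URLs are constructed for illustration, and the only thing taken from the product is the default regular expression quoted above.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Default Navigational Parameter RegEx quoted on this page (anchored: exact names only).
NAV_PARAM_RE = re.compile(r"^(page|redirect|goto|ctrl|content|__EVENTTARGET)$")


def crawl_signature(url, body_params=None, parameter_based_navigation=False,
                    nav_re=NAV_PARAM_RE):
    """Key under which a crawler files a request to decide whether it is 'already seen'.

    Without parameter-based navigation the key is scheme, host, path and the sorted
    parameter *names*, so ?page=home and ?page=support collapse into one entry.
    With it enabled, the *value* of every parameter whose name matches nav_re is
    folded into the key as well, so each navigational value becomes its own page.
    GET (query string) and POST (body) parameters are treated alike.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body_params:
        params += list(body_params.items())
    key = [parts.scheme, parts.netloc, parts.path]
    for name, value in sorted(params):
        if parameter_based_navigation and nav_re.match(name):
            key.append(f"{name}={value}")
        else:
            key.append(name)
    return "|".join(key)


class Crawler:
    """Hypothetical model of the crawl/scan dedup logic; not the scanner's real code."""

    def __init__(self, parameter_based_navigation=False, max_page_visits=999):
        self.pbn = parameter_based_navigation
        self.max_page_visits = max_page_visits
        self.seen = set()        # full signatures already queued for scanning
        self.visits = Counter()  # base page (names only) -> distinct variants visited
        self.queued = []         # (url, body_params) handed to the scan engine

    def consider(self, url, body_params=None):
        """Return True if the request is queued for scanning, False if it is skipped."""
        base = crawl_signature(url, body_params, parameter_based_navigation=False)
        full = crawl_signature(url, body_params, parameter_based_navigation=self.pbn)
        if full in self.seen:
            return False   # same page (or same parameter names) already scanned
        if self.visits[base] >= self.max_page_visits:
            return False   # Maximum Page Visits reached for this page
        self.seen.add(full)
        self.visits[base] += 1
        self.queued.append((url, body_params))
        return True


def queued_count(urls, parameter_based_navigation, max_page_visits=999):
    """How many of the given GET requests reach the scan engine with the given settings."""
    crawler = Crawler(parameter_based_navigation, max_page_visits)
    return sum(crawler.consider(u) for u in urls)


if __name__ == "__main__":
    # Constructed sample URLs following the PHP example above.
    pages = [
        "http://example.com/index.php?page=product&id=1",
        "http://example.com/index.php?page=pricing&id=2",
        "http://example.com/index.php?page=support&id=3",
    ]
    print("default settings :", queued_count(pages, False))    # 1 page scanned
    print("param navigation :", queued_count(pages, True))     # 3 pages scanned
    print("max visits = 2   :", queued_count(pages, True, 2))  # capped at 2

    # ASP.NET postback (hypothetical Default.aspx): same URL, branch chosen by the body.
    # __EVENTARGUMENT is another hidden field a real postback carries; it is not
    # navigational, so only its name enters the key.
    c = Crawler(parameter_based_navigation=True)
    for target in ("LinkButton1", "LinkButton2"):
        body = {"__EVENTTARGET": target, "__EVENTARGUMENT": ""}
        print(target, c.consider("http://example.com/Default.aspx", body))  # True, True
```

Run it with the default settings and the three PHP URLs collapse into one scanned page; enable parameter-based navigation and all three are scanned, while a Maximum Page Visits of 2 drops the third. The two ASP.NET postbacks differ only in the POST body, which is why the regex has to be applied to POST parameters as well as the query string.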